Detecting Reconnaissance Process through packet analysis
TCP Port scan
Port scanning is the process of probing the target machine's ports
in order to determine which services are running on the system. It also allows
the attacker to determine the version of those services and fingerprint the active services. Such
analysis before actually attacking the target forms a solid base for crafting
a more focused attack against the target machine.
For a normal port scan a 3-way handshake occurs
between the attacker's machine and the target machine. The attacker's machine sends a TCP
SYN request to the destination machine on port 80. If the target machine is active and
running the particular service on that port, it responds with a SYN ACK
packet, which is further acknowledged by the attacker with an ACK packet. This
completes the 3-way handshake between the two communicating machines. Following the 3-way
handshake we see data exchange between the two machines, followed by a FIN packet
to close the connection. If the destination machine does not run the particular
service on port 80, it sends a TCP RST ACK packet back across the cabling system. Therefore, if we see lots of RST (reset)
packets on the cabling system, it is an indication that a port scan is being
performed.
In this article on network forensics we will analyze
network log files to detect a port scan across the cabling system. Usually when
a port scan occurs across the network we see a lot of reset packets on the
cabling system. We will use a network protocol analyzer called Wireshark to
view and analyze the network traffic log files.
UDP Port scan
For a UDP port scan the attacker sends a UDP packet to the destination
machine at a specific port. If the target machine does not support that service,
it replies with an ICMP Type 3 (Destination Unreachable) packet indicating that the destination port is unreachable.
Such packets are not desirable on the cabling system. Therefore an excessive
number of ICMP Type 3 packets on the cabling system indicates a UDP port scan on the
network.
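The two indicators described above (many TCP RST ACK replies to one host across many ports, and many ICMP Type 3 port-unreachable replies to one host) can be turned into a simple detector. The following is an added example, not code from the article or from any of the tools it uses. It assumes the capture has been exported as tab-separated lines in the shape of tshark's `-T fields` output with the fields ip.src, ip.dst, ip.proto, tcp.srcport, tcp.dstport, tcp.flags, icmp.type and icmp.code (in that order); the sample lines are constructed here using the article's lab addresses (.131 scanning, .130 running the honeypot) plus a constructed benign client 192.168.134.1, and the thresholds are assumptions to be tuned per network. It also distinguishes ports that completed a 3-way handshake (open) from ports that answered RST ACK (closed), so the report shows both sides of what the trace reveals.

```python
"""Flag probable TCP and UDP port scans from a per-packet field export (added example)."""
import json
from collections import defaultdict

# TCP flag bits as carried in the tcp.flags field.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Thresholds are assumptions for this example, not values from the article.
RST_THRESHOLD = 5    # distinct ports that answered RST/ACK to one probing host
ICMP_THRESHOLD = 5   # ICMP type 3 code 3 replies drawn by one probing host

# Constructed sample in tshark -T fields shape:
# ip.src ip.dst ip.proto tcp.srcport tcp.dstport tcp.flags icmp.type icmp.code
SCANNER, TARGET, CLIENT = "192.168.134.131", "192.168.134.130", "192.168.134.1"
_lines = []
for i, port in enumerate([21, 22, 23, 25, 110, 443]):           # closed ports
    sport = 40000 + i
    _lines.append(f"{SCANNER}\t{TARGET}\t6\t{sport}\t{port}\t0x0002\t\t")  # SYN
    _lines.append(f"{TARGET}\t{SCANNER}\t6\t{port}\t{sport}\t0x0014\t\t")  # RST/ACK
for client, sport in ((SCANNER, 40010), (CLIENT, 50000)):       # port 80 is open
    _lines.append(f"{client}\t{TARGET}\t6\t{sport}\t80\t0x0002\t\t")       # SYN
    _lines.append(f"{TARGET}\t{client}\t6\t80\t{sport}\t0x0012\t\t")       # SYN/ACK
    _lines.append(f"{client}\t{TARGET}\t6\t{sport}\t80\t0x0010\t\t")       # ACK
for i, port in enumerate([53, 69, 123, 161, 500]):              # UDP probes
    _lines.append(f"{SCANNER}\t{TARGET}\t17\t{41000 + i}\t{port}\t\t\t")
    _lines.append(f"{TARGET}\t{SCANNER}\t1\t\t\t\t3\t3")          # ICMP port unreachable
SAMPLE = "\n".join(_lines)


def parse_records(text):
    """Parse the tab-separated export into dicts; empty fields become None/0."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("\t")
        f += [""] * (8 - len(f))
        records.append({
            "src": f[0], "dst": f[1], "proto": int(f[2]),
            "sport": int(f[3]) if f[3] else None,
            "dport": int(f[4]) if f[4] else None,
            "flags": int(f[5], 16) if f[5] else 0,
            "icmp_type": int(f[6]) if f[6] else None,
            "icmp_code": int(f[7]) if f[7] else None,
        })
    return records


def tcp_scan_indicators(records):
    """Per probing host: (target, port) pairs that answered RST/ACK and pairs that completed a handshake."""
    closed = defaultdict(set)   # prober -> {(target, port)} answered with RST/ACK
    opened = defaultdict(set)   # prober -> {(target, port)} with SYN, SYN/ACK, ACK
    syn_seen, synack_seen = set(), set()   # (prober, target, port)
    for r in records:
        if r["proto"] != 6:
            continue
        fl = r["flags"]
        if fl & SYN and not fl & ACK:
            syn_seen.add((r["src"], r["dst"], r["dport"]))
        elif fl & RST and fl & ACK:
            # RST/ACK flows target -> prober; the probed port is the RST's source port
            closed[r["dst"]].add((r["src"], r["sport"]))
        elif fl & SYN and fl & ACK:
            key = (r["dst"], r["src"], r["sport"])
            if key in syn_seen:
                synack_seen.add(key)
        elif fl & ACK and not fl & (SYN | RST | FIN):
            key = (r["src"], r["dst"], r["dport"])
            if key in synack_seen:
                opened[r["src"]].add((r["dst"], r["dport"]))
    return closed, opened


def udp_scan_indicators(records):
    """Per probing host: count of ICMP type 3 code 3 (port unreachable) replies it drew."""
    unreachable = defaultdict(int)
    for r in records:
        if r["proto"] == 1 and r["icmp_type"] == 3 and r["icmp_code"] == 3:
            unreachable[r["dst"]] += 1
    return unreachable


def report(text, rst_threshold=RST_THRESHOLD, icmp_threshold=ICMP_THRESHOLD):
    """Return {host: findings} for hosts whose reply pattern crosses a threshold."""
    records = parse_records(text)
    closed, opened = tcp_scan_indicators(records)
    findings = {}
    for host, pairs in closed.items():
        if len(pairs) >= rst_threshold:
            findings[host] = {
                "tcp_scan": True,
                "closed_ports": sorted(p for _, p in pairs),
                "open_ports": sorted(p for _, p in opened.get(host, set())),
            }
    for host, n in udp_scan_indicators(records).items():
        if n >= icmp_threshold:
            findings.setdefault(host, {}).update({"udp_scan": True, "icmp_unreachable": n})
    return findings


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE), indent=2))
```

Only the scanning host is reported: the benign client completes one handshake to port 80 and never draws an RST ACK or an ICMP unreachable, so it stays below both thresholds. On a real capture, the same field export can be produced with tshark and fed to `report()` unchanged.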
Lab Setup
For analyzing the port scan process, we have the following lab
setup.
Tools used: KFSensor honeypot, Windows XP machine,
BackTrack machine, Wireshark network protocol analyzer.
A honeypot is software
that is set up on a machine and pretends to run various services on that
machine, which lures an attacker with some juicy stuff. When the attacker tries to
connect to it, the IP of the attacker is recorded and he/she can be further traced
back.
To demonstrate the TCP
port scan, KFSensor is installed on a Windows XP machine with IP address
192.168.134.130. Now a port scan is made against it from another machine with IP
192.168.134.131.
The following trace file is obtained using Wireshark network
protocol sniffing:
Here we can see TCP SYN requests made by the attacker's machine,
each followed by a TCP RST ACK, representing a service check over various ports of the
target machine. If the service had actually been running there
would be a 3-way handshake between the attacker and the target machine. As noticeable
from packet number 389, we see a TCP SYN
request followed by SYN ACK and ACK, representing the 3-way handshake.
If multiple such RST ACK packets are observed on the cabling system, then
it represents a port scan being performed against a target in the network.
So guys, study and enjoy.
There is a lot more to come... I will keep updating.